To add Salesforce as a SAML 2.0 external integration, you must create a connected app with SAML configuration in the Salesforce organization to enable trust with the service provider (Conga Auth Service). After creating the app, you need the external_organization_id, Metadata Location URL, and Organization ID Claim Type details.

To set up Salesforce as a SAML identity provider, enable your organization as an identity provider and integrate your service provider as a connected app.

Perform the following steps in the order listed:

  1. Enable Salesforce as an identity provider
  2. Enable the single sign-on (SSO) setting
  3. Create a SAML-enabled connected app and provide access to users

To enable the identity provider setting

  1. Log in to Salesforce.
  2. Go to Setup, then search and select Identity Provider.
  3. Click Enable Identity Provider.
  4. Select the self-signed certificate from the dropdown menu.
  5. Click Save.

To enable the single sign-on setting

  1. Log in to Salesforce.
  2. Go to Setup, then search and select Single Sign-On Settings.
  3. Click Edit.
  4. Check the SAML Enabled checkbox.
  5. Click Save.

To create a SAML-enabled connected app

  1. Log in to Salesforce.
  2. Go to Setup, then search and select App Manager.
  3. Click New Connected App.
  4. Enter the following details in the Basic Information section:

    | Field | Description |
    | --- | --- |
    | Connected App Name | Enter the connected app’s name, which displays in the App Manager. |
    | API Name | The API name is generated automatically based on the name of the Connected App. |
    | Contact Email | Enter the email address of the administrator managing the Connected App. |
  5. Fill in the following details in the Web App Settings section. Leave the other fields as is.

    | Field | Description |
    | --- | --- |
    | Enable SAML | Select the Enable SAML checkbox. |
    | Entity Id | The globally unique ID of the service provider. Enter the following URL per your environment: |
    | ACS URL | (Assertion Consumer Service) The service provider’s endpoint that receives SAML assertions. Enter the following URL per your environment: |
    | Name ID Format | Specify email address as the format attribute sent in SAML messages. |
    | Signing Algorithm for SAML Messages | Select the SHA256 option. |
  6. Click Save.
  7. Open the connected app that is created for the SAML identity provider.
  8. Click Edit Policies.
  9. Go to the Custom Attributes section and add a custom attribute with external_organization_id as the attribute key and the organization ID as the attribute value.
  10. Click Save.
  11. Go to the User Accounts section and add a user account.
  12. Go to the Profiles and Permission Sets sections and add profiles and permission sets to provide connected app access to Salesforce users.

With setup complete, you must get the information needed to configure an external integration.

To get the external_organization_id and Metadata Location URL details

  1. Log in to Salesforce.
  2. Go to Setup, then search and select Manage Connected Apps.
  3. Open the connected app that is created for the SAML identity provider.
  4. Go to the Custom Attributes section and confirm that the custom attribute exists with external_organization_id as the attribute key and the organization ID as the attribute value.
  5. Go to the SAML Login Information section.
  6. Use the Metadata Discovery Endpoint as a Metadata Location URL.

    • To use Salesforce as an SSO, use the organization's metadata discovery endpoint.
    • To use Salesforce Community as an SSO, use the Community's metadata discovery endpoint.